Merge branch 'main' into enable-slack-websocket

.github/actions/pnpm-node-install/action.yaml

@@ -5,11 +5,18 @@ inputs:
   node-version:
     description: Node.js version
     required: true
+    default: '22.7.0'
   pnpm-version:
     description: pnpm version
     required: true
+    default: '9.7.0'
+  pnpm-skip-install:
+    description: Skip install.
+    required: false
+    default: 'false'
   pnpm-install-args:
     description: Extra arguments for pnpm install, e.g. --no-frozen-lockfile.
+    default: '--frozen-lockfile'
 
 runs:
   using: composite
@@ -25,3 +32,5 @@ runs:
     - name: Install JS dependencies
       run: pnpm install ${{ inputs.pnpm-install-args }}
       shell: bash
+      # Skip install if pnpm-skip-install is true
+      if: ${{ inputs.pnpm-skip-install != 'true' }}

.github/actions/poetry-python-install/action.yaml

@@ -5,9 +5,11 @@ inputs:
   python-version:
     description: Python version
     required: true
+    default: '3.9'
   poetry-version:
     description: Poetry version
     required: true
+    default: '1.8.3'
   poetry-working-directory:
     description: Working directory for poetry command.
     required: false

.github/workflows/ci.yaml

@@ -4,9 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
   pull_request:
-    branches: [main, dev]
+    branches: [main, dev, 'release/**']
   push:
-    branches: [main, dev]
+    branches: [main, dev, 'release/**']
 
 permissions: read-all
 
@@ -20,10 +20,13 @@ jobs:
   e2e-tests:
     uses: ./.github/workflows/e2e-tests.yaml
     secrets: inherit
+  lint-ui:
+    uses: ./.github/workflows/lint-ui.yaml
+    secrets: inherit
   ci:
     runs-on: ubuntu-latest
     name: Run CI
-    needs: [mypy, pytest, e2e-tests]
+    needs: [mypy, pytest, lint-ui, e2e-tests]
     steps:
       - name: Done
         run: echo "Done"

.github/workflows/e2e-tests.yaml

@@ -13,22 +13,20 @@ jobs:
     env:
       BACKEND_DIR: ./backend
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/pnpm-node-install
         name: Install Node, pnpm and dependencies.
         with:
-          node-version: 22.7.0
-          pnpm-version: 9.7.0
-          pnpm-install-args: --no-frozen-lockfile
+          pnpm-skip-install: true
+      - name: Install depdendencies and Cypress
+        uses: cypress-io/github-action@v6
+        with:
+          runTests: false
       - uses: ./.github/actions/poetry-python-install
         name: Install Python, poetry and Python dependencies
         with:
-          python-version: 3.9
-          poetry-version: 1.8.3
           poetry-working-directory: ${{ env.BACKEND_DIR }}
           poetry-install-args: --with tests
-      - name: Lint UI
-        run: pnpm run lintUi
       - name: Run tests
         env:
           CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}

.github/workflows/lint-ui.yaml

@@ -0,0 +1,17 @@
+name: LintUI
+
+on: [workflow_call]
+
+permissions: read-all
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/pnpm-node-install
+        name: Install Node, pnpm and dependencies.
+      - name: Build UI
+        run: pnpm run buildUi
+      - name: Lint UI
+        run: pnpm run lintUi

.github/workflows/mypy.yaml

@@ -10,12 +10,10 @@ jobs:
     env:
       BACKEND_DIR: ./backend
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: ./.github/actions/poetry-python-install
         name: Install Python, poetry and Python dependencies
         with:
-          python-version: 3.9
-          poetry-version: 1.8.3
           poetry-install-args: --with tests --with mypy --with custom-data --no-root
           poetry-working-directory: ${{ env.BACKEND_DIR }}
       - name: Run Mypy

.github/workflows/publish.yaml

@@ -23,25 +23,20 @@ jobs:
       contents: read
       id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: main
       - uses: ./.github/actions/pnpm-node-install
         name: Install Node, pnpm and dependencies.
         with:
-          node-version: 22.7.0
-          pnpm-version: 9.7.0
           pnpm-install-args: --no-frozen-lockfile
       - uses: ./.github/actions/poetry-python-install
         name: Install Python, poetry and Python dependencies
         with:
-          python-version: 3.9
-          poetry-version: 1.8.3
           poetry-working-directory: ${{ env.BACKEND_DIR }}
-      - name: Copy readme to backend
-        run: cp README.md backend/
-      - name: Build chainlit
-        run: pnpm run build
+      - name: Build Python distribution
+        run: poetry self add poetry-plugin-ignore-build-script && poetry build --ignore-build-script
+        working-directory: ${{ env.BACKEND_DIR }}
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:

.github/workflows/pytest.yaml

@@ -14,25 +14,18 @@ jobs:
     env:
       BACKEND_DIR: ./backend
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/pnpm-node-install
+        name: Install Node, pnpm and dependencies.
       - uses: ./.github/actions/poetry-python-install
         name: Install Python, poetry and Python dependencies
         with:
           python-version: ${{ matrix.python-version }}
-          poetry-version: 1.8.3
-          poetry-install-args: --with tests --with mypy --with custom-data --no-root
+          poetry-install-args: --with tests --with mypy --with custom-data
           poetry-working-directory: ${{ env.BACKEND_DIR }}
       - name: Install fastapi ${{ matrix.fastapi-version }}
         run: poetry add fastapi@^${{ matrix.fastapi-version}}
         working-directory: ${{ env.BACKEND_DIR }}
-      - uses: ./.github/actions/pnpm-node-install
-        name: Install Node, pnpm and dependencies.
-        with:
-          node-version: 22.7.0
-          pnpm-version: 9.7.0
-          pnpm-install-args: --no-frozen-lockfile
-      - name: Build UI
-        run: pnpm run buildUi
       - name: Run Pytest
         run: poetry run pytest --cov=chainlit/
         working-directory: ${{ env.BACKEND_DIR }}

CHANGELOG.md

@@ -4,6 +4,110 @@ All notable changes to Chainlit will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [1.3.1] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
+## [1.3.0] - 2024-10-22
+
+### Security
+
+- Fixed critical endpoint security vulnerabilities (#1441)
+- Enhanced authentication for file-related endpoints (#1431)
+- Upgraded frontend and backend dependencies to address security issues (#1431)
+
+### Added
+
+- SQLite support in SQLAlchemy integration (#1319)
+- Support for IETF BCP 47 language tags, enabling localized languages like es-419 (#1399)
+- Environment variables `OAUTH_<PROVIDER>_PROMPT` and `OAUTH_PROMPT` to
+override oauth prompt parameter. Enabling users to explicitly enable login/consent prompts for oauth, e.g. `OAUTH_PROMPT=consent` to prevent automatic re-login. (#1362, #1456).
+- Added `get_element()` method to SQLAlchemyDataLayer (#1346)
+
+### Changed
+
+- Bumped LiteralAI dependency to version 0.0.625 (#1376)
+- Optimized LiteralDataLayer for improved performance and consistency (#1376)
+- Refactored context handling in SQLAlchemy data layer (#1319)
+- Updated package metadata with correct authors, license, and documentation links (#1413)
+- Enhanced GitHub Actions workflow with restricted permissions (#1349)
+
+### Fixed
+
+- Resolved dialog boxes extending beyond window bounds (#1446)
+- Fixed tasklist functionality when Chainlit is submounted (#1433)
+- Corrected handling of `display_name` in PersistentUser during authentication (#1425)
+- Fixed SQLAlchemy identifier quoting (#1395)
+- Improved spaces handling in avatar filenames (#1418)
+
+### Development
+
+- Implemented extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
+- Added comprehensive unit tests for file-related endpoints
+- Enhanced code organization and import structure
+- Improved Python code style and linting (#1353)
+- Resolved various small text and documentation issues (#1347, #1348)
+
+## [2.0.dev2] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 2.0.dev1 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
+## [2.0.dev1] - 2024-10-22
+
+### Added
+
+- Interactive DataFrame display component using MUI Data Grid (#1373)
+- Optional websocket connection in react-client (#1379)
+- Current URL in message payload (#1403)
+- Improved image interaction - clicking opens popup with download option (#1402)
+- Configurable user session timeout (#1032)
+
+### Security
+
+- Fixed file access vulnerability in get_file and upload_file endpoints (#1441)
+- Added authentication to /project/file endpoint (#1441)
+- Addressed security vulnerabilities in frontend dependencies (#1431, #1414)
+
+### Fixed
+
+- Dialog boxes extending beyond window (#1446)
+- Allow empty chat input when submitting attachments (#1261)
+- Tasklist when Chainlit is submounted (#1433)
+- Spaces in avatar filenames (#1418)
+- Step argument input and concurrency issues (#1409)
+- Display_name copying to PersistentUser during authentication (#1425)
+
+### Development
+
+- Refactored storage clients into separate modules (#1363)
+- Support for IETF BCP 47 language tags (#1399)
+- Improved GitHub Actions workflows and build process (#1445)
+- Direct installation from GitHub support (#1423)
+- Extended package metadata with homepage and documentation links (#1413)
+- Various backend fixes and code cleanup (#1432)
+
 ## [2.0.dev0] - 2024-10-08
 
 ### Breaking Changes
@@ -40,36 +144,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Added new wavtools directory with various audio processing utilities
 - Implemented new AudioWorklet processors for more efficient audio handling
 
-## [1.3.0rc0] - 2024-10-02
-
-### Added
-
-- SQLite support in SQLAlchemy integration (#1137)
-- Extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
-- `get_element()` method to SQLAlchemyDataLayer (#1346)
-
-### Changed
-
-- Bumped LiteralAI dependency to version 0.0.625 (#1376)
-- Refactored LiteralDataLayer for improved performance and consistency
-- Refactored context handling in SQLAlchemy data layer (#1319)
-- Enhanced GitHub Actions workflow with restricted permissions (#1349)
-
-### Fixed
-
-- Resolved issues with SQLite database support (#1137)
-- Addressed automatic OAuth login after logout (#1362)
-- Various code style and linting improvements (#1353, #1348, #1347)
-
-### Development
-
-- Implemented LiteralToChainlitConverter class for handling conversions
-- Added comprehensive unit tests for data layer components
-- Improved import structure and removed unused imports
-- Updated README with latest project information (#1351)
-
-We encourage users to thoroughly test this release candidate, particularly the LiteralAI integration and history features, and provide feedback before the final 1.3.0 release.
-
 ## [1.2.0] - 2024-09-16
 
 ### Security

backend/README.md

@@ -18,7 +18,7 @@ Chainlit is an open-source async Python framework which allows developers to bui
 
 Full documentation is available [here](https://docs.chainlit.io). You can ask Chainlit related questions to [Chainlit Help](https://help.chainlit.io/), an app built using Chainlit!
 
-> [!NOTE]  
+> [!NOTE]
 > Check out [Literal AI](https://literalai.com), our product to monitor and evaluate LLM applications! It works with any Python or TypeScript applications and [seamlessly](https://docs.chainlit.io/data-persistence/overview) with Chainlit by adding a `LITERAL_API_KEY` in your project.
 >
 > Chainlit is developed and maintained by the Literal AI team, which is currently focused on expanding the capabilities of Literal AI. While we continue to support and maintain Chainlit, we are also committed to enabling the community to contribute, particularly in areas like integrations and data layers.
@@ -43,7 +43,7 @@ If this opens the `hello app` in your browser, you're all set!
 The latest in-development version can be installed straight from GitHub with:
 
 ```sh
-pip install git+https://github.com/Chainlit/chainlit.git@dokterbob/build_frontend_on_poetry_build#subdirectory=backend/
+pip install git+https://github.com/Chainlit/chainlit.git#subdirectory=backend/
 ```
 
 (Requires Node and pnpm installed on the system.)

backend/build.py

@@ -6,7 +6,9 @@
 
 
 def pnpm_install(project_root, pnpm_path):
-    subprocess.run([pnpm_path, "install"], cwd=project_root, check=True)
+    subprocess.run(
+        [pnpm_path, "install", "--frozen-lockfile"], cwd=project_root, check=True
+    )
 
 
 def pnpm_buildui(project_root, pnpm_path):

backend/chainlit/auth.py

@@ -52,7 +52,9 @@ def create_jwt(data: User) -> str:
     to_encode: Dict[str, Any] = data.to_dict()
     to_encode.update(
         {
-            "exp": datetime.utcnow() + timedelta(minutes=60 * 24 * 15),  # 15 days
+            "exp": datetime.utcnow() + timedelta(
+                seconds=config.project.user_session_timeout
+            ),
         }
     )
     encoded_jwt = jwt.encode(to_encode, get_jwt_secret(), algorithm="HS256")